On 2017/2/11 2:26, t...@ritter.vg wrote:
On Friday, 10 February 2017 08:32:27 UTC-6, Benjamin Smedberg wrote:
I thought I enumerated the harm at first, but I'll elaborate a little.
1) Flash doesn't know about and breaks our "current and subdirectory only"
file: origin policy.
2) Flash is a high-risk attack surface: if you can get somebody to download
a SWF they can probably own your system. We don't have anyone testing or
defending this effectively.
So we believe that there is significant harm in the current situation, and
very little upside.
I think #1 is sufficient to remove this behavior, even ignoring #2. A malicious
flash applet opened from file:// can read the user's profile, take all
their saved passwords, cookies, etc and steal data, masquerade as them, and
perform all manner of malicious activity.
I agree that this is a problem, but I disagree that Firefox must remove
this behavior now.
* This behavior has existed for decades in all desktop browsers, and the
usage of Flash is declining, which means the threat is also declining.
So I don't see the reason for an immediate removal.
* The Flash plugin is still actively maintained by Adobe, so I think you can
ask them to restrict permissions for local Flash content.
This would benefit all browsers, not just Firefox.
-tom
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform